Raoul sets up hotline on computer breach as ‘ransomware’ group posts files claimed stolen from attorney general’s office
Illinois Attorney General Kwame Raoul’s office said it “has not yet determined what personal information on its network is impacted,” but it could include “names, addresses, email addresses, Social Security numbers, health insurance and medical information, tax information, and driver’s license numbers.”
A “ransomware” group potentially linked to Russia has uploaded to a website scores of documents it says were stolen from Illinois Attorney General Kwame Raoul’s office over two weeks after the state’s top law enforcement officer first reported his office’s computer network was compromised.
Raoul had declined to publicly provide details of the hack, but on Thursday, he issued a follow-up statement, saying his office has set up a toll-free hotline for those seeking more information on the breach, which could include “names, addresses, email addresses, Social Security numbers, health insurance and medical information, tax information, and driver’s license numbers.”
But the office said it “has not yet determined what personal information on its network is impacted.”
The latest announcement comes after the ransomware group DoppelPaymer posted 68 documents it said are from the attorney general’s office, alongside files from other entities it has hit, on a website where a user can find “private data of the companies which were hacked by DoppelPaymer.”
According to the website, the “companies decided to keep the leakage secret. And now their time to pay is over.”
The Chicago Sun-Times accessed the site using a special browser that allows for anonymous communication while on the internet.
Ransomware is a type of malicious software that typically includes threats to publish a victim’s data or block access to that data unless the victim pays a ransom.
The documents from Raoul’s office were initially published on the website on April 21, with more documents added Thursday. The files taken from Illinois’ chief legal officer include those labeled “judgments entered,” “shakedown cases” and “state prisoners.”
About 200 gigabytes of confidential information will be “progressively uploaded,” the group warns on the site.
Starting Friday, anyone with questions about the network compromise can call the Attorney General’s Computer Network Compromise Hotline at 1-833-688-1949, from 8 a.m. to 5 p.m., Monday through Friday.
Raoul’s office will continue to “evaluate the extent of the network compromise,” and information about the breach, including what personal information was affected, will be published on its own website, the statement said.
DoppelPaymer is believed to be based in Russia or Eastern Europe and uses ransomware that’s the product of another cybercrime group called Evil Corp, cyber threat analyst Brett Callow told the Chicago Sun-Times.
The group behind the attorney general’s breach was recently linked to an election data breach in Georgia.
The U.S. Treasury Department issued a press release in 2019 saying it had sanctioned Evil Corp for using Dridex malware to “infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft.”
“Ransomware has fundamentally changed in the last couple of years,” Callow said. “Until the end of December 2019, they simply encrypted their target’s data … so these were very expensive inconveniences. Now, they still encrypt data, but before doing so they steal a copy of it, and they use the threat of releasing the information online unless the targeted organization pays their demand.”
And if the organization refuses, “their data is posted online in a series of installments,” Callow said.
When Raoul first announced the attack on April 13, he said his staff would work with federal authorities to investigate a breach in his office’s network that officials discovered over the previous weekend.
The state’s top law enforcement officer first learned that the computer network was breached early April 10, Raoul said in a statement released on April 13.
“Since then, information technology staff and investigators from the Attorney General’s office have been working closely with federal law enforcement authorities to evaluate the extent to which the network was compromised,” he said at the time.
“This investigation is ongoing, and I am committed to resolving this situation as soon as possible to ensure that the Attorney General’s office can continue to provide critical services to the people of Illinois.”